# Service

## **Service Analysis in Incident Response (Linux Systems)**

Services in Linux play a vital role in the system's operation. Attackers often exploit this functionality to maintain persistence, allowing them to regain access after system reboots. Here's a comprehensive guide to detecting and analyzing malicious services during incident response.

***

## **Key Concepts of Linux Services**

1. **Service Status Types** (the first four describe the runtime state, the last two the unit file's boot configuration; a unit can be enabled yet inactive, or disabled yet running):
   * **Active (running)**: Service is currently running.
   * **Active (exited)**: Service has completed its task and exited (typical for `Type=oneshot` units).
   * **Active (waiting)**: Service is running, waiting for a trigger.
   * **Inactive**: Service is not running.
   * **Enabled**: Configured to start at boot.
   * **Disabled**: Will not start automatically at boot (it can still be started manually or pulled in by another unit).

***

## **1. Listing and Investigating Services**

**Using `service` Command**

```bash
service --status-all
```

* Lists all available services along with their status.

**Using `systemctl` Command**

```bash
systemctl list-units --type=service
```

* Lists currently loaded services with their statuses.

**List All Enabled Services (Startup Services)**

```bash
systemctl list-unit-files --type=service --state=enabled
```

* `--state=enabled` filters on the exact state; piping through `grep enabled` would also match every `disabled` unit, since the word contains `enabled`.

***

## **2. Identifying Suspicious or Unknown Services**

Attackers often create services with inconspicuous names or names similar to legitimate services (e.g., `cron_service` vs. `cron`).

**Search for Specific Services**

If you suspect a service:

```bash
sudo systemctl status SERVICE_NAME
```

This shows:

* Service status.
* Executable path.
* Recent logs.

**Inspect the Service's Unit File**

```bash
cat /lib/systemd/system/SERVICE_NAME.service
```

The `Loaded:` line of `systemctl status` shows which file systemd actually loaded: a unit in `/etc/systemd/system` overrides a same-named unit in `/lib/systemd/system`, and a drop-in directory (`SERVICE_NAME.service.d/*.conf`) can replace `ExecStart` without touching the main file, so inspect those locations as well.

Look for:

* **ExecStart** (also `ExecStartPre`, `ExecStartPost`, `ExecStop` and `ExecReload`): Path to the executable/script that starts the service. Every one of these runs with the service's privileges, so check each of them, not only `ExecStart`.
* **Restart**: Conditions under which the service restarts (`Restart=always` keeps a payload alive after it is killed).
* **Environment** (and `EnvironmentFile`): Variables passed to the service.
* **User**: The account the service runs as; if absent, it runs as root.

**Analyze the Unit File Modification Details**

```bash
stat /lib/systemd/system/SERVICE_NAME.service
```

* **Modified Time (mtime)**: Can indicate unauthorized changes, but it can be set to any value with `touch`, so do not rely on it alone.
* **Change Time (ctime)**: Updated by the kernel whenever content or metadata changes and cannot be set from user space; an mtime that is older than the ctime suggests timestamp tampering.
* **Access Time (atime)**: Shows when the file was last read; many systems mount with `relatime` or `noatime`, so it is often stale.

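The checks described in this section (lookalike names, risky `Exec*` lines, mtime next to ctime) can be scripted so that every unit file in a directory is triaged the same way. The script below is an added example and is not part of the original page; the two unit files it scans are constructed for the demo, the `SUSPICIOUS_EXEC` patterns and `KNOWN_UNITS` list are illustrative starting points, and on a real host you would pass `/etc/systemd/system` and `/lib/systemd/system` to `scan_unit_dir`.

```shell
#!/bin/sh
# Unit-file triage helper (added example, not from the original page).
# Scans *.service files for names that imitate known units, Exec* lines that
# launch code from places persistence payloads favour, and prints mtime next
# to ctime so forged modification times stand out.

# Exec* patterns worth a second look: temp or world-writable directories,
# hidden directories, inline shell, decoded blobs, download-and-run chains.
# Coarse by design; every hit still needs an analyst's judgement.
SUSPICIOUS_EXEC='(^|[ =])/(tmp|var/tmp|dev/shm)/|/\.[A-Za-z0-9_-]+/|(^|[ =/])(ba)?sh -c|base64 -d|curl |wget '

# Legitimate unit names attackers like to imitate (extend from your baseline).
KNOWN_UNITS='cron sshd rsyslog dbus systemd-logind NetworkManager'

# lookalike_name UNITFILE -> 0 when the name contains a known unit's name
# without being exactly that unit (cron_service vs cron), 1 otherwise
lookalike_name() {
    n=$(basename "$1" .service)
    for k in $KNOWN_UNITS; do
        [ "$n" = "$k" ] && return 1
        case $n in *"$k"*) return 0 ;; esac
    done
    return 1
}

# scan_unit_file UNITFILE -> prints findings; returns 0 if clean, 1 if flagged
scan_unit_file() {
    f=$1
    hits=0
    if lookalike_name "$f"; then
        printf 'SUSPECT %s: name resembles a known unit\n' "$f"
        hits=$((hits + 1))
    fi
    # Every Exec* directive runs as the service, not only ExecStart.
    execs=$(grep -E '^[[:space:]]*Exec(Start|StartPre|StartPost|Stop|StopPost|Reload)=' "$f" || true)
    if printf '%s\n' "$execs" | grep -Eq "$SUSPICIOUS_EXEC"; then
        printf 'SUSPECT %s: %s\n' "$f" "$(printf '%s' "$execs" | tr '\n' ';')"
        hits=$((hits + 1))
    fi
    # mtime can be forged with touch; ctime is set by the kernel only.
    printf 'TIMES %s: mtime=%s ctime=%s\n' "$f" \
        "$(ls -l "$f" | awk '{print $6, $7, $8}')" \
        "$(ls -lc "$f" | awk '{print $6, $7, $8}')"
    [ "$hits" -eq 0 ]
}

# scan_unit_dir DIR -> triage every *.service file in DIR and print a summary
scan_unit_dir() {
    flagged=0
    for u in "$1"/*.service; do
        [ -f "$u" ] || continue
        scan_unit_file "$u" || flagged=$((flagged + 1))
    done
    printf 'scanned %s: %d unit(s) flagged\n' "$1" "$flagged"
}

# Constructed demo input: one lookalike unit launching from /tmp, one clean unit.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/cron_service.service" <<'EOF'
[Unit]
Description=Cron Service

[Service]
ExecStart=/bin/sh -c "/tmp/.x/run.sh"
Restart=always

[Install]
WantedBy=multi-user.target
EOF
cat > "$DEMO/nginx.service" <<'EOF'
[Unit]
Description=A high performance web server

[Service]
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload

[Install]
WantedBy=multi-user.target
EOF

scan_unit_dir "$DEMO"
```

The lookalike check is deliberately loose (it would also flag `crond` against `cron`), which is the right trade-off for triage: a short list of candidates for an analyst beats a silent miss.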
***

## **3. Review Historical and Real-Time Logs**

Logs can reveal service creation, modifications, and executions.

**Analyze System Logs**

To search the whole journal for service-related messages (a broad match; narrow it with `-u` below once you have a candidate):

```bash
sudo journalctl | grep service
```

**Review Logs for a Specific Service**

```bash
sudo journalctl -u SERVICE_NAME
```

Use time filters for more targeted analysis:

```bash
sudo journalctl -u SERVICE_NAME --since "2023-11-10" --until "2023-11-13"
```

**Check Logs for All Activities in a Time Range**

```bash
sudo journalctl --since "2023-11-10 00:00" --until "2023-11-13 23:59"
```

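Beyond reading the journal for one known unit, it is worth extracting two things from the time window of interest: which services PID 1 started that are not in your baseline, and when the daemon reloaded its configuration (a `daemon-reload` is what an attacker must trigger after dropping a new unit file). The script below is an added example, not part of the original page; it parses constructed lines in the `journalctl -o short-iso` text format (on a live host, feed it `sudo journalctl -o short-iso --since ... --until ...`), and the baseline file is a hypothetical allowlist you would build from a known-good host.

```shell
#!/bin/sh
# Journal triage helper (added example, not from the original page).
# Input is journalctl -o short-iso text on stdin; field 1 is the timestamp.

# journal_started_units < JOURNAL -> "timestamp unit" for every service start.
# Modern systemd logs "Started NAME.service - Description."; the match()
# call picks the unit name out of that message.
journal_started_units() {
    awk '/systemd\[1\]: Started / && match($0, /Started [^ ]+\.service/) {
        print $1, substr($0, RSTART + 8, RLENGTH - 8)
    }'
}

# journal_unbaselined BASELINE_FILE < JOURNAL -> started units not listed in
# BASELINE_FILE (one unit name per line), sorted and de-duplicated
journal_unbaselined() {
    journal_started_units | awk '{print $2}' | sort -u | grep -vxF -f "$1" || true
}

# journal_reloads < JOURNAL -> timestamps at which PID 1 reloaded or
# re-executed itself; each one is a moment unit files may have changed
journal_reloads() {
    awk '/systemd\[1\]: (Reloading|Reexecuting)/ {print $1}'
}

# Constructed sample journal and baseline for the demo.
JOURNAL=$(mktemp)
BASELINE=$(mktemp)
trap 'rm -f "$JOURNAL" "$BASELINE"' EXIT
cat > "$JOURNAL" <<'EOF'
2023-11-10T07:00:01+0000 host systemd[1]: Started cron.service - Regular background program processing daemon.
2023-11-10T07:00:01+0000 host systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
2023-11-12T03:14:07+0000 host systemd[1]: Reloading.
2023-11-12T03:14:09+0000 host systemd[1]: Started cron_service.service - Cron Service.
2023-11-12T03:14:09+0000 host cron_service[4242]: started
2023-11-12T03:20:00+0000 host systemd[1]: Started cron_service.service - Cron Service.
EOF
printf 'cron.service\nssh.service\n' > "$BASELINE"

echo "daemon reloads:";        journal_reloads < "$JOURNAL"
echo "units not in baseline:"; journal_unbaselined "$BASELINE" < "$JOURNAL"
```

In the sample, the reload at 03:14:07 immediately followed by the first start of an unbaselined unit is the shape to look for; pivot from that timestamp into `journalctl -u` and the file timestamps from the previous section.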
***

## **4. Investigate and Isolate Suspicious Services**

**Check Service Dependencies**

Some malicious services rely on other services or scripts:

```bash
systemctl list-dependencies SERVICE_NAME
```

**Inspect Processes Started by the Service**

```bash
ps -o pid,ppid,user,lstart,cmd -p <PID>
```

* Take the PID from the `Main PID:` line of `systemctl status`; the `CGroup:` block below it lists every process the service owns, including children that a wrapper script spawned. Grepping `ps aux` output for a bare PID also matches other PIDs containing the same digits (and the grep process itself), so query the PID directly.

***

## **5. Remediation: Stopping and Removing Malicious Services**

### **1. Stop the Service**

Prevent it from running:

```bash
sudo systemctl stop SERVICE_NAME
```

### **2. Disable the Service**

Prevent it from starting on boot:

```bash
sudo systemctl disable SERVICE_NAME
```

### **3. Delete the Service File**

Remove the service configuration:

```bash
sudo rm /lib/systemd/system/SERVICE_NAME.service
```

Before deleting, copy the unit file, together with any drop-in directory (`SERVICE_NAME.service.d/`) and the `.wants` symlinks that `systemctl enable` created, to your evidence store and record their hashes. Delete a same-named unit under `/etc/systemd/system` too if one exists; otherwise systemd keeps loading that copy.

### **4. Reload Daemon to Apply Changes**

```bash
sudo systemctl daemon-reload
```

### **5. Verify Removal**

Ensure the service no longer exists (`list-units` shows only loaded units, so repeat the check with `list-unit-files` to confirm nothing on disk still defines it):

```bash
systemctl list-units --type=service | grep SERVICE_NAME
```

***

## **6. Post-Incident Actions**

1. **Review Recent Changes**:
   * Use `find` to list unit files modified in the last 5 days (run the same check against `/lib/systemd/system` and `/run/systemd/system`):

     ```bash
     find /etc/systemd/system/ -type f -mtime -5
     ```
2. **Reinforce Access Controls**:
   * Restrict who can create or modify services.
3. **Enable File Integrity Monitoring**:
   * Use tools like **Tripwire** or **AIDE** to monitor system files for changes.
4. **Regular Audits**:
   * Periodically review service configurations and logs for anomalies.

***

## **Key Points**

Linux services are a common vector for attackers aiming to maintain persistence. By analyzing service configurations, system logs, and active processes, incident responders can uncover and mitigate malicious activities. Proper eradication of malicious services ensures that attackers cannot re-establish control, securing the system against further exploitation.
